9501644

Malware protection

Published: November 22, 2016
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
14 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of detecting malware in a computer system, the method comprising: determining that an executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files; executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated environment by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment; monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act; and determining that the executable file is malware.

2. A method as claimed in claim 1, wherein the step of determining that an executable file should be identified as not being legitimate is performed at the computer system.

3. A method as claimed in claim 1, wherein the step of determining that an executable file should be identified as not being legitimate comprises: determining if an identifier for the executable file is contained in a database identifying legitimate executable files and, if not, identifying the executable file as not legitimate; determining if an identifier for the executable file is contained in a database identifying prohibited executable files and, if so, identifying the executable file as not legitimate; and determining if an identifier for the executable file is contained in a database relating to executable files, the database including a value indicating the legitimacy of each executable file and, if so, determining if the value associated with the executable file does not exceed a threshold at which an executable file is considered to be legitimate.

4. A method as claimed in claim 1, further comprising monitoring whether the executable file attempts to connect to a remote location while being executed in the emulated environment, and if so, determining that the electronic file is malware.

5. A non-transitory computer storage medium having stored thereon a computer program comprising computer program code means that performs all the steps of: determining that an executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files; executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated environment by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment; monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act; and determining that the executable file is malware.

6. A computer system comprising: at least one processor; and at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the computer system to perform: determining that the executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files, and executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated computer system by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment, monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment, determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act, and determining that the executable file is malware.

7. A computer system as claimed in claim 6, wherein the processor is further configured to generate a message for sending to a server, the message including the executable file or an identifier for the executable file, and to process a response received from the server to determine if it indicates that the file should be identified as not being legitimate.

8. A computer system as claimed in claim 6, wherein the memory is further configured to store a database identifying legitimate executable files, and the processor is further configured to determine if an identifier for the executable file is contained in the database identifying legitimate executable files.

9. A computer system as claimed in claim 6, wherein the memory is further configured to store a database identifying prohibited executable files, and the processor is further configured to determine if an identifier for the executable file is contained in the database identifying prohibited executable files.

10. A computer system as claimed in claim 6, wherein the memory is further configured to store a database of information relating to executable files, the database including a value indicating the legitimacy of each executable file, and the processor is further configured to determine if an identifier for the executable file is contained in the database.

11. A computer system as claimed in claim 10, wherein the processor is further configured to, if an identifier for the executable file is contained in the database of executable files, determine if the value associated with the executable file exceeds a threshold at which an executable file is considered to be legitimate.

12. A computer system as claimed in claim 6, wherein the processor is further configured to monitor whether the executable file attempts to connect to a remote location while being executed in the emulated environment, and if so, determine that the executable file is malware.

13. An apparatus for detecting potential malware, the apparatus comprising: at least one processor; and at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the apparatus to perform: determining that the executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files, and executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated computer system by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment, monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment, determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act, and determining that the executable file is malware.

14. An apparatus as claimed in claim 13, wherein when the apparatus is caused to perform executing the executable file and providing indications to the executable file that it is being executed within an emulated computer system, the apparatus is caused to: execute the executable file in the non-emulated computer system; intercept specified communications between the executable file and the apparatus during execution of the executable file; and respond to intercepted communications with data that is indicative of execution in an emulated computer system.
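
The decision logic of claims 1, 3 and 4, sketched as an added illustration that is not part of the patent text or of any product. The event type names, identifiers, reputation scores and threshold are constructed assumptions, and the interception step is represented only by a recorded trace of the file's communications.

```python
from dataclasses import dataclass, field

# Hypothetical event types for intercepted communications (not from the patent).
EXPECTED = {
    "internet_request": "did not request access to the Internet",
    "notification": "did not attempt to provide a notification",
    "env_query": "did not collect information about the environment",
}

@dataclass
class Databases:
    legitimate: set = field(default_factory=set)
    prohibited: set = field(default_factory=set)
    reputation: dict = field(default_factory=dict)  # identifier -> score
    threshold: int = 50                             # constructed value

def not_legitimate_reasons(ident, db):
    """Claim 3: each check that marks the file as not legitimate."""
    reasons = []
    if ident not in db.legitimate:
        reasons.append("not in legitimate database")
    if ident in db.prohibited:
        reasons.append("in prohibited database")
    score = db.reputation.get(ident)
    if score is not None and score <= db.threshold:
        reasons.append(f"reputation {score} does not exceed {db.threshold}")
    return reasons

def behaviour_verdict(events):
    """Claims 1 and 4, over a trace recorded while emulator indications were given."""
    seen = {e["type"] for e in events}
    findings = [msg for kind, msg in EXPECTED.items() if kind not in seen]
    findings += [f"remote connection attempt to {e['dest']}"
                 for e in events if e["type"] == "remote_connect"]
    return ("malware" if findings else "no evasive action observed"), findings

def analyse(ident, db, events):
    reasons = not_legitimate_reasons(ident, db)
    if not reasons:  # file is not selected for monitored execution
        return {"monitored": False, "verdict": "legitimate", "findings": []}
    verdict, findings = behaviour_verdict(events)
    return {"monitored": True, "reasons": reasons, "verdict": verdict, "findings": findings}

# Constructed sample data.
DB = Databases(legitimate={"id-a"}, prohibited={"id-c"}, reputation={"id-b": 20})
QUIET = [{"type": "env_query"}]
ACTIVE = [{"type": t} for t in EXPECTED]
CALLER = ACTIVE + [{"type": "remote_connect", "dest": "host.example.test"}]
```

The `QUIET` trace models a file that goes silent once it is shown emulator indications, which is the evasive behaviour claim 1 treats as the malware signal.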

Patent Metadata

Filing Date

Unknown

Publication Date

November 22, 2016

Inventors

Jarno Niemelä
Mikko Hyppönen
Santeri Kangas

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Malware protection” (9501644). https://patentable.app/patents/9501644